How to avoid email spoofing?

Hi,

So having set up PHPMailer, I am now wanting to allow people to email a specific address for campaign responses.

I tested everything with my own email and it was going to spam. I’m worried this will happen with my form submissions, as it will come from my server but say it is coming from the submitted address.

How do I stop this?

I see that there is the option to have ‘From’ and ‘reply to’ in phpmailer.

If I set the From to an email address on my server and the Reply-To as the user’s email, would that be OK? Can the From name be the user’s name, but with my server’s email address? e.g.

$mail->setFrom('email@myserver.com', $fullname);

$mail->addReplyTo($users_email, $users_fullname);

(Yes, I have validated/sanitised those variables.)

thanks

That will help if your server has an MX record in DNS.

Ah OK, so I just checked and it has an MX record. It’s whatever was set up by 1and1. Do I need to change it to anything or leave it as is? I’ve set up an email address on my account to use.

thanks

You leave it as is. The MX record tells the DNS lookup that your domain is (also) a mail server.

Cool, thanks.

I added a bit to my original post which you might not have seen yet…

If I set the From to an email address on my server and the Reply-To as the user’s email, would that be OK? Can the From name be the user’s name, but with my server’s email address? e.g.

$mail->setFrom('email@myserver.com', $users_fullname);

$mail->addReplyTo($users_email, $users_fullname);

Any ideas if that would be OK to do? Or does my server email and name have to match each time?

Yes, since it’s not part of the email address. Although it makes no sense to do so as you have this info already in the reply-to address.


It’s a consultation response that we’ve pre-written for people to amend as they want and email to the consultation email. I didn’t want thousands of emails all with the same name in a list, as it has to be individuals that send the response. If that makes sense.

I just hope I haven’t got our server blocked already. Doh.

Then it makes more sense to customise the email’s subject line.


That is a good point. I’ll have to ask our campaigns team what they want to do, though. At worst I could just append the user’s name to the subject, e.g. “John Smith’s Consultation response”, as I already have that variable so wouldn’t need to ask for a subject line as well.

Thanks for your help, much appreciated.
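The From/Reply-To/subject arrangement discussed above, written out as an added example (not code from the thread or from PHPMailer’s own documentation); the SMTP host, mailbox and recipient addresses are placeholders, and the user’s name and address are assumed to arrive from the form:

```php
<?php
// Added example, not code from the thread or from PHPMailer's documentation.
// Assumes PHPMailer is installed via Composer; host, mailbox and recipient
// addresses are placeholders to replace with your provider's settings.
use PHPMailer\PHPMailer\PHPMailer;

require 'vendor/autoload.php';

/**
 * Send one consultation response so that it authenticates as our own domain:
 * From is an address we control (so SPF/DKIM can pass), the user's name is
 * the display name, and Reply-To carries the user's real address.
 */
function sendConsultationResponse(string $users_email, string $users_fullname, string $body): bool
{
    // Accept a single well-formed address only; PHPMailer also refuses
    // addresses containing CR/LF, which blocks header injection here.
    if (!PHPMailer::validateAddress($users_email)) {
        throw new InvalidArgumentException('invalid reply-to address');
    }
    // Defence in depth: keep the display name on one header line.
    $users_fullname = trim(str_replace(["\r", "\n"], ' ', $users_fullname));

    $mail = new PHPMailer(true);                 // throw on failure instead of returning false
    $mail->isSMTP();                             // explicit SMTP, not the mail() fallback
    $mail->Host       = 'smtp.example.com';      // placeholder (the thread used smtp.1and1.com:25)
    $mail->Port       = 587;
    $mail->SMTPSecure = PHPMailer::ENCRYPTION_STARTTLS;
    $mail->SMTPAuth   = true;
    $mail->Username   = 'form@example.net';      // placeholder mailbox on our own domain
    $mail->Password   = getenv('SMTP_PASSWORD'); // keep the secret out of the source

    $mail->setFrom('form@example.net', $users_fullname); // our address, their name
    $mail->addReplyTo($users_email, $users_fullname);    // where replies should go
    $mail->addAddress('consultation@example.org');       // placeholder destination address
    $mail->Subject = $users_fullname . "'s consultation response";
    $mail->Body    = $body;

    return $mail->send();
}
```

Because the visible From stays on our own domain, the SPF and DKIM checks described later in the thread are evaluated against a domain we control rather than the submitter’s.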

You should also look into SPF and DKIM.

DKIM is a royal PITA to set up, but helps a lot in preventing email being classified as spam. SPF is easy to set up and helps as well, but not as much as DKIM.

The easiest route is to pay a few pennies and use a mailer service to handle mail for you. They have all this set up, saving you from a lot of headaches.


Ah OK. I’ve found where to add an SPF record on 1and1 but I’m not sure what I put in ‘hostname’? Can I leave it blank?

It has a preview which has my domain name in it and some other bits. Not sure if it’s secret info so I’ve changed the details, but the format is like this:

mysite.net 3600 IN TXT "v=spf1 include:_spf.somewher.net include:_spf.someserver.de ~all" 

Would that do the job? The only option I have is to add a hostname and the weighting of fail.

thanks
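As an added example (not from the thread), the following shows how a receiving server reads a record like the one posted above: mechanisms are walked in order, the first match decides, and the trailing `~all` is what turns an unlisted sender into a softfail. The `include:` targets are served from a constructed table rather than DNS, and the `a`/`mx`/`exists` mechanisms are left out; it needs PHP 8.

```php
<?php
// Added example (not from the thread): offline evaluator for a record like the posted
// "v=spf1 include:... ~all"; include: targets come from a constructed table, not DNS. PHP 8.
function parseSpf(string $record): array          // -> [[qualifier, mechanism, value], ...]
{
    $terms = preg_split('/\s+/', trim($record));
    if (array_shift($terms) !== 'v=spf1') {
        throw new InvalidArgumentException('not an SPF record');
    }
    $out = [];
    foreach ($terms as $term) {
        $qualifier = '+';                          // no prefix means "pass"
        if (strpos('+-~?', $term[0]) !== false) {
            $qualifier = $term[0];
            $term = substr($term, 1);
        }
        [$mechanism, $value] = array_pad(explode(':', $term, 2), 2, null);
        $out[] = [$qualifier, strtolower($mechanism), $value];
    }
    return $out;
}
function ipInCidr(string $ip, string $cidr): bool  // IPv4 only, "a.b.c.d" or "a.b.c.d/n"
{
    [$net, $bits] = array_pad(explode('/', $cidr, 2), 2, '32');
    $mask = (~0 << (32 - (int) $bits)) & 0xFFFFFFFF;
    return (ip2long($ip) & $mask) === (ip2long($net) & $mask);
}
function evaluateSpf(string $record, string $ip, array $includes): string
{
    $verdict = ['+' => 'pass', '-' => 'fail', '~' => 'softfail', '?' => 'neutral'];
    foreach (parseSpf($record) as [$qualifier, $mechanism, $value]) {
        $matched = match ($mechanism) {
            'all'     => true,
            'ip4'     => ipInCidr($ip, $value),
            // include: matches only when the included domain's own record passes
            'include' => evaluateSpf($includes[$value] ?? 'v=spf1 -all', $ip, $includes) === 'pass',
            default   => false,                    // a, mx, exists need DNS; not handled
        };
        if ($matched) {
            return $verdict[$qualifier];           // first matching mechanism decides
        }
    }
    return 'neutral';                              // nothing matched
}
// Constructed data: the record posted above plus invented include targets.
$record   = 'v=spf1 include:_spf.somewher.net include:_spf.someserver.de ~all';
$includes = ['_spf.somewher.net'  => 'v=spf1 ip4:203.0.113.0/24 -all',
             '_spf.someserver.de' => 'v=spf1 ip4:198.51.100.10 -all'];
echo evaluateSpf($record, '203.0.113.7', $includes), "\n"; // pass: a listed provider IP
echo evaluateSpf($record, '192.0.2.1', $includes), "\n";   // softfail: caught by "~all"
```

Mail sent through a host that is not covered by either include ends up at `~all`, which is the softfail that receivers typically treat as a spam signal rather than an outright reject.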

What happens when you fill in a domain? How does the preview change?

Ah, I pressed save without anything in there and it saved it with ‘@’ as the hostname.

I did a lookup like this page suggests https://www.gfi.com/support/products/kbid002665 and it returned, but says 'Non-authoritative answer: … ' and then the server address info listed in the SPF. Does that mean it’s working to a certain extent?

Send an email to your gmail account from the server, open the mail in gmail, click “Show original” in the three dot menu in the top right corner of the email and you will see a summary of SPF and DKIM and if it validated or not.

Maybe other clients have that as well, but I only use gmail, so…


Awesome, that is really useful to know. I’ve just tested it and it returned a ‘pass’ for the SPF, so I guess that means all is good.

Now I just have to work out why I’m not getting an autoresponse from the email we are sending to. Another website doing the same is getting them, so I am trying to work out what we have done differently.

I might call the department and see if they have blocked us, as it is a public consultation, so hopefully they will unblock us if that is the case.

Thanks


Ah, so I realised I wasn’t using the SMTP part of PHPMailer, so it was defaulting to the mail() function, which sends in a different way. Once I changed this I got an auto-response back.

I used the settings here https://github.com/PHPMailer/PHPMailer/issues/816 for 1and1.co.uk, as I couldn’t get it to work until I found cafiah’s comment:

‘Thanks a lot for this thread, I was fighting with 1and1 smtp mailing for 1 week… and finally this is all about smtp.1and1.com on port 25 rather than using auth.smtp.1and1.fr on port 465 !’

Once I changed to port 25 it worked.

Next problem…

I am still wanting the auto-response to return to the user’s email, not the sender (my website). I don’t understand how another website is doing the same but getting the autoresponse to the user??? Are they likely to be just using the ‘From’ address and getting away with spoofing? I can’t see any other way they could be doing it.

Then tell the auto-responder to use the reply-to address.

Not my auto-responder :frowning: it’s DEFRA’s (a UK government department).

So I know this is technically wrong, but I set the From address as the user address and it is now returning the autoresponse, so it must be getting through. I don’t really like doing that, but as it is working and everything else isn’t, it’s currently my only option.

Thanks all.

Simple reason: the autoresponder does not use the Reply-To (as it should) but the From address.

Alternately you could catch the auto-response and forward it to the client.
